Introduction
Before beginning this article, it is necessary that you have successfully completed the article Install and Configure vSEC:CMS on First Use.
It is possible to unblock a smart card PIN without going through a challenge/response exchange with the vSEC:CMS. This mechanism is referred to as a PIN Unlock Code (PUC), sometimes also called a PUK.
To use the PUC feature, the smart card must support PUC and must be issued with a PUC. Because anyone holding the PUC can reset the card PIN, the PUC is a secret and must be stored and handled as such.
Follow the instructions in this article to set up a card template that issues a Windows smart card logon certificate and extracts the PUC to a file during card issuance.
The PKI used in this example is a Microsoft CA (MS CA).
The smart card type managed in this example is a generic minidriver smart card token.
Step 1 - Setup a PIN Policy Template
A PIN policy with PUC support enabled is required. The PIN policy is written to the smart card during issuance.
1. From the Templates - PIN Policies page click the Add button.
2. Enter a template name and from Card type drop-down list select the card type for the smart card token that the template will be used to manage.
3. Enable the Unblock using PUC check box.
4. Click Save to save and close.
Step 2 - Configure Data Export
The PUC generated during smart card issuance must be extracted so that it is available later for an offline PIN unblock (an unblock performed without a challenge/response exchange).
In this example, we configure a data export template of type file to write the PUC to a file. Since that file will contain PUCs for every card issued with this template, write it to a location that only vSEC:CMS operators can read and treat it like any other credential store.
1. From Options - Connections click the Configure button.
2. Select Data Export and add this to the Selected pane and click Ok.
3. Click Data Export to open the configuration dialog.
4. Click the Add button, enter a template name and for Target select File (export to file). Under File select Write automatically to file and for Filename enter the location where the file is to be written.
5. Click the Format button to configure the details that are written to the file. It is important to select the variable ${Puc}, as this is the actual PUC generated by the vSEC:CMS during issuance. In this example, we also select ${UserId} from the Available pane and add it to the Export to file pane so that the user's ID is written next to the PUC in the export file.
6. Click Ok and Save to close and save the template.
Step 3 - Configure Card Template
1. Navigate to the Options - Smart Cards page. When the page has loaded, attach the smart card token that is to be issued with the vSEC:CMS. The vSEC:CMS filters on the card type and presents the smart card templates available for it.
2. Select the entry and click Edit. For Smart Card Access ensure that Use minidriver if possible is selected and click Save.
3. From Templates - Card Templates click the Add button.
4. Click the Edit link for General.
5. Enter a template name and attach the smart card token that is to be issued and click the Detect button to allow the vSEC:CMS to detect the smart card token type that is to be used for this card template. Click Ok to close the dialog.
6. Leave all other settings in the General dialog at their defaults and click Ok to save the settings and close the dialog.
7. Click the Edit link for Issue Card.
8. In the User ID Options section enable Assign User ID and select the AD connection already configured.
9. In the Enroll Certificate Options section enable Enroll certificate(s) and click the Add button. Select the CA connection already configured from the Certificate Authority drop-down list, select the smart card logon certificate template as configured on your CA from the Certificate template list, and click Ok to save and close the dialog.
It is important that the Windows smart card logon certificate template on the CA is configured to require an authorized signature, because the certificate is requested by the operator on the user's behalf and the CA will only issue it when the request is co-signed by a Certificate Request Agent (enrollment agent) certificate. On the Issuance Requirements tab of the certificate template properties on the CA, enable This number of authorized signatures, set the value to 1, and from the Application policy drop-down list select Certificate Request Agent.
10. Click Ok to save and close.
11. For Initiate card click the Edit link.
12. Enable the System set PUC checkbox and click the Configure button.
13. From the drop-down list select the data export file configured earlier and click Add.
14. Click Ok to save and close the dialog.
15. Click Ok to save and close the settings.
16. Click Ok to save and close the template.
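Before issuing any cards it is worth confirming that the CA template really carries the issuance requirement described in step 9, since a template that lacks it will be accepted by the vSEC:CMS configuration but fail at issuance time. The following PowerShell script is an added example, not part of the vSEC:CMS documentation or product: it reads the template object from the forest's Configuration partition and checks the two attributes that the Issuance Requirements tab sets, msPKI-RA-Signature (the number of authorized signatures) and msPKI-RA-Application-Policies (the application policy the signer must carry, where 1.3.6.1.4.1.311.20.2.1 is Certificate Request Agent). The template name SmartcardLogon is an assumption; use the CN of your own template as shown in the Certificate Templates console.

```powershell
# Added example (not from the vSEC:CMS documentation). Verifies that a CA certificate
# template requires one authorized signature from a Certificate Request Agent.
# Assumptions: run on a domain-joined machine; $TemplateName is the template CN
# (the template name without spaces, as shown in certtmpl.msc).

$TemplateName        = 'SmartcardLogon'            # assumed template name; replace with yours
$CertRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'    # Certificate Request Agent application policy OID

function Test-SmartcardLogonTemplate {
    param([Parameter(Mandatory)][string]$Name)

    # Certificate templates are stored in the Configuration naming context of the forest.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Get('configurationNamingContext')
    $path     = "LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    try {
        $template = [ADSI]$path
        $dn = $template.Get('distinguishedName')
    } catch {
        throw "Template '$Name' was not found under $configNc ($($_.Exception.Message))"
    }

    # msPKI-RA-Signature holds the 'This number of authorized signatures' value (0 if unset).
    $raSignatures = [int]($template.Properties['msPKI-RA-Signature'].Value)
    # msPKI-RA-Application-Policies lists the application policy OIDs required on the signer.
    $raPolicies   = @($template.Properties['msPKI-RA-Application-Policies'].Value) | Where-Object { $_ }

    [pscustomobject]@{
        Template                  = $dn
        AuthorizedSignatures      = $raSignatures
        SignerApplicationPolicies = $raPolicies -join ', '
        # The article's requirement: at least one signature, signed by a Certificate Request Agent.
        RequiresRequestAgent      = ($raSignatures -ge 1) -and ($raPolicies -contains $CertRequestAgentOid)
    }
}

$check = Test-SmartcardLogonTemplate -Name $TemplateName
$check | Format-List
if (-not $check.RequiresRequestAgent) {
    Write-Warning "Template '$TemplateName' does not require a Certificate Request Agent signature. Fix it on the template's Issuance Requirements tab before issuing cards."
}
```

Run the script as a user who can read the Configuration partition (any domain user can by default). If RequiresRequestAgent is False, correct the template on the CA and re-run; the vSEC:CMS enrollment in Step 4 depends on it.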
Step 4 - Issue Smart Card Token
1. From the Lifecycle page attach the smart card token that is to be issued and click the Issued oval. Select the card template from the Select card template drop-down list and click the Execute button.
2. Enter the Operator token PIN (Passcode) code when prompted.
3. Select a user from AD that the smart card token is to be issued to.
4. When the issuance completes, a message dialog indicating that an authentication key has been added to the vSEC:CMS will appear, followed by a short summary dialog with details of the operations that have been performed.
The smart card token is now in the Issued state, as can be seen from the process diagram. By default the smart card PIN is blocked at this point, so the card must be unblocked before use. Typically, the person who will use the smart card sets the PIN code on it.
5. Click the Active oval and click the Execute button.
6. Enter the Operator token PIN (Passcode) code when prompted.
7. Enter the PIN code that will be set on the smart card token. Click Initiate to set the PIN code on the smart card and make it active.
8. A summary dialog will appear. Click Ok to close.
9. If you open the export file that the PUC was written to, you should see the user ID and the smart card PUC. Keep in mind that this file now holds a credential that can reset the card PIN: restrict access to it and remove or relocate PUC records you no longer need on that host.
You can use, for example, the vSEC:CMS User Self-Service application to perform a PIN unblock using the PUC code from the My PIN - Unblock PIN(PUC) page.
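The export file configured in Step 2 accumulates a PUC for every card issued with this template, so the practical follow-up to Step 4 is to make sure only the vSEC:CMS operators and the system can read it. The following PowerShell function is an added example, not part of the vSEC:CMS documentation or product: it disables permission inheritance on the export file, discards any existing entries, grants SYSTEM full control and the operator group Modify (the operator account running vSEC:CMS must still be able to append to the file), and reads the ACL back so you can confirm the result. The file path and the group name are placeholders; replace them with the filename you entered in Step 2 and your own operator group.

```powershell
# Added example (not from the vSEC:CMS documentation). Restricts the PUC export file
# to SYSTEM and the vSEC:CMS operator group, then reports the resulting ACL.
# Assumptions: $ExportFile is the Filename configured in the data export template and
# $OperatorGroup is the AD group whose members run the vSEC:CMS issuance.

$ExportFile    = 'C:\vSECCMS\Export\puc-export.txt'   # assumed export path from Step 2
$OperatorGroup = 'CONTOSO\vSEC-CMS-Operators'          # assumed operator group

function Protect-PucExportFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Export file not found: $Path (issue at least one card first, or check the Filename in the export template)"
    }

    $acl = Get-Acl -LiteralPath $Path

    # Break inheritance and drop the inherited entries so folder-level rights such as
    # 'Users: Read' no longer apply to the PUC file.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $full   = [System.Security.AccessControl.FileSystemRights]::FullControl
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify

    # SYSTEM keeps full control; operators get Modify so vSEC:CMS can keep appending records.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', $full, $allow)))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Group, $modify, $allow)))

    Set-Acl -LiteralPath $Path -AclObject $acl

    # Read the ACL back from disk so the report reflects what was actually applied.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Protect-PucExportFile -Path $ExportFile -Group $OperatorGroup | Format-Table -AutoSize
```

Run this from an elevated PowerShell session on the host where the export file is written. The returned table should list only NT AUTHORITY\SYSTEM and the operator group; if other principals still appear, they were granted explicit rights on the file and should be reviewed. Apply the same treatment to the export folder itself so that a future export file created there does not start out world-readable.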